This chapter describes issues associated with the upgrade and migration process of Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0). It includes the following sections:
This section describes issues related to upgrading the following:
Upgrading Oracle Identity and Access Management components from 11g Release 2 (11.1.2.1.0) to 11g Release 2 (11.1.2.2.0)
Upgrading Oracle Identity and Access Management components from 11g Release 2 (11.1.2) to 11g Release 2 (11.1.2.2.0)
Upgrading Oracle Identity and Access Management components from 11g Release 1 (11.1.1.7.0) to 11g Release 2 (11.1.2.2.0)
Upgrading Oracle Identity and Access Management components from 11g Release 1 (11.1.1.5.0) to 11g Release 2 (11.1.2.2.0)
Upgrading Oracle Identity and Access Management components from 9.1.x.x to 11g Release 2 (11.1.2.2.0)
For the list of upgrade, migration, and patching issues reported in 11g Release 2 (11.1.2.1.0), see "Upgrade, Migration, and Patching Issues for Oracle Identity and Access Management" in the Oracle Fusion Middleware Release Notes for 11g Release 2 (11.1.2.1.0).
For the list of upgrade issues reported in 11g Release 2 (11.1.2), see "Upgrade and Migration Issues for Oracle Identity and Access Management" in the Oracle Fusion Middleware Release Notes for 11g Release 2 (11.1.2).
This section describes general issues and workarounds related to the upgrade scenarios. It includes the following topic:
Section 3.1.1.1, "Upgrade User Form Does Not Upgrade UDF of Type LOV Correctly"
Section 3.1.1.5, "Harmless Error After Applying Interim Patch 14481477"
Section 3.1.1.7, "Classpath Issue While Patching Oracle Identity Manager Middle Tier"
Section 3.1.1.8, "OAuth Service Policy is Missing After Upgrade"
Section 3.1.1.10, "Errors While Starting OIM Server After Successful Upgrade"
Section 3.1.1.12, "Exception When Upgrading Oracle Identity Manager Middle Tier"
Section 3.1.1.14, "Error While Starting OIM Server After Upgrading OIM 9.1.x.x to 11.1.2.2.0"
Section 3.1.1.16, "Error in Upgrade log file After Upgrading OAAM Admin and OAAM Offline Servers"
Section 3.1.1.17, "Error Message While Starting OAAM Admin and Managed Servers After Upgrade"
Section 3.1.1.18, "Some Apps are in Prepared State After Upgrade"
Section 3.1.1.20, "Grant/Revoke Requests Cannot be Viewed After OIM Upgrade"
Section 3.1.1.22, "Exception in Log File After OAAM Upgrade"
Section 3.1.1.23, "OAAM Administration Server Shows Version 11.1.2.1.0 After Upgrade"
Section 3.1.1.24, "OAAM Admin Redeploy Does Not Work When Upgrading OAAM to 11.1.2.2.0"
Section 3.1.1.26, "Error While Executing ConfigureSecurityStore.py"
Section 3.1.1.28, "LabelExistsException While Starting Oracle Identity Manager Server After Upgrade"
Section 3.1.1.31, "Exception When you Click on 'Edit' link After Creating Application Instance"
Section 3.1.1.35, "Exception When Opening a User After Upgrading Oracle Identity Manager"
This issue occurs when you upgrade Oracle Identity Manager 9.x or Oracle Identity Manager 11g Release 1 (11.1.1.5.0) to Oracle Identity Manager 11g Release 2 (11.1.2.2.0). The LOV fields for User, Role, and Organization Forms on User Interface are not upgraded correctly.
You must apply the following workaround before you click on Upgrade User Form or Upgrade Role Form or Upgrade Organization Form. This workaround should not be applied after Upgrade User Form is completed.
The workaround is as follows:
Log in to the /sysadmin console using the following URL:
http://OIM_HOST:OIM_PORT/sysadmin
Create and activate a sandbox.
Click Form Designer.
Search for User form, and open it.
For each LOV UDF, create the UDF with the name same as the UDF name in the User.xml file. Make sure you select both Searchable and Searchable Picklist.
Repeat for all the searchable LOV fields of Role and Organization forms.
Publish the sandbox.
In Oracle Access Manager Release 2 (11.1.2.2.0), the System Mbean Configuration files have been modified to remove the dependency on domain home. The copyMbeanXmlFiles command moves the domain Mbean jars out of the domain home to eliminate any future upgrade or patching issues.
After you have applied the 11.1.2.2.0 patch, you must run the following WLST commands to complete the patching process for OAM:
After applying the 11.1.2.2.0 patch set, use the Patch Set Assistant to update the Oracle Access Manager Components as described in "Updating Your Schemas with Patch Set Assistant".
Make sure that you select Oracle Access Manager on the Select Component screen.
After a successful run of the Patch Set Assistant, navigate to the following directory and execute the copyMbeanXmlFiles command, as shown in the example below.
You must specify the directory paths for your Middleware and OAM Oracle homes. Directories below are shown as examples only.
On Unix operating systems:
cd $ORACLE_HOME/common/bin/wlst.sh
copyMbeanXmlFiles ('/MW_HOME/user_projects/domains/my_domain',' '/MW_HOME/Oracle_IDM') where 2nd parameter <OAM_ORACLE_HOME> is optional.
On Windows operating systems:
cd $ORACLE_HOME/common/bin/wlst.sh
copyMbeanXmlFiles('C:\\Oracle\\MW_HOME\\user_projects\domains\\my_domain','C:\\Oracle\\MW_HOME\\Oracle_IDM') where 2nd parameter <OAM_ORACLE_HOME> is optional.
After a successful run of the above command, verify that the 11.1.2.2.0 Mbean XML files are copied to the following locations:
<DOMAIN_HOME>/config/fmwconfig/mbeans
<DOMAIN_HOME>/config/fmwconfig
In an Oracle Identity Manager 11g Release 2 (11.1.2.2.0) deployment that has been upgraded from 11g Release 2 (11.1.2.2.0) or 11g Release 2 (11.1.2), SOA email notification may not work in some cases. To ensure that the workaround described in this section is applicable, do the following:
Ensure that the WebLogic Administration Server and SOA Managed Server(s) are running.
Log in to the Oracle Enterprise Manager.
Expand Weblogic Domain in the left pane.
Right-click on the WLS_DOMAIN, and select System MBeans Browser.
Go to Application Defined MBeans, and click the following in the order specified:
oracle.as.soainfra.config
WorkflowIdentityConfig
human-workflow
WorkflowIdentityConfig.ConfigurationType
jazn.com
WorkflowIdentityConfig.ConfigurationType.ProviderType
JpsProvider
WorkflowIdentityConfig.ConfigurationType.ProviderType.PropertyType
jpsContextName
Check the Value attribute. If value is default, the workaround described in this section is not applicable, and you should check email driver configuration in Enterprise Manager.
If value is oim, you must apply the workaround described in this section.
To workaround this issue, complete the following steps:
Update the JpsContextName MBean. To do so:
Login to Oracle Enterprise Manager.
On the left pane, expand Weblogic Domain.
Right-click WLS_DOMAIN, and select System MBeans Browser.
Go to Application Defined MBeans, com.oracle.sdp.messaging, Server: soa_server1, Application:usermessagingserver, SDPMessagingServerConfig, ServerConfig, JpsContextName.
Enter oim as the value, and click Apply.
Restart the SOA Server.
After you have applied the Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) patch, the AD User Management 11.1.1.5.0 reconciliation profile used for Oracle Identity Manager may be overwritten.
To correct this issue, open the "Active Directory Organization Recon" job and clear the last token listed (if it its has a specified value) and run the job.
If Interim Patch 14481477 was applied to the existing Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) environment before applying the 11.1.2.2.0 patch, you may see the following warning. You can safely ignore this error message.
Error Message:
OUI-10221:The install touches a component that is patched by interim patches'Interim Patch# 14481477'. The interim patches affect other components not included in the install. You may rollback the interim patches 'Interim Patch# 14481477'using OPatch for consistency before performing the upgrade. You may also choose to ignore this warning and continue with the upgrade. If you choose to continue, the conflicting patches will be removed from the inventory. However, some files that are not updated during the upgrade may be left behind. Contact Support to check applicability and availability of interim patches 'Interim Patch# 14481477' for this install. Do you want to ignore the patch conflicts and continue with the upgrade?.
After you have applied the Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) patch, some of the transaction screens may not open properly. To correct this issue, delete the server-level temporary directories as described below.
Shut down all of the managed servers.
Navigate to the following directory:
cd $MIDDLEWAREHOME/user_projects/domains/$<DOMAINNAME>/servers/
For each of the servers located in the /servers directory, delete the contents of the _WL_user folder in the /tmp directory.
For example, if you have an OIM Managed Server on a Unix operating system, you would remove the contents of the /_WL_user directory in the following location:
$MW_HOME/user_projects/domains/$<DOMAINNAME>/servers/$OIMMANAGEDSERVERNAME/tmp/_WL_user
Repeat the process for each server in the /servers directory and restart the managed servers.
If you receive the following error message while updating your Oracle Identity Manager (OIM) Middle Tier from 11.1.2.0.0 to 11.1.2.2.0, you must update the ucp.jar classpath in the OIMUpgrade.sh script.
Error Message:
Exception in thread "main" java.lang.NoClassDefFoundError: oracle/ucp/jdbc/PoolDataSourceFactory
To correct this issue, update the OIMUpgrade.sh script as described below:
Navigate to <MW_HOME>/Oracle_IDM1/server/bin
Open OIMUpgrade.sh in edit mode.
Replace the path for $OIM_HOME/server/ext/ucp.jar in MDSJARS classpath settings with the following:
$MW_HOME/oracle_common/modules/oracle.ucp_11.1.0.jar
Save the OIMUpgrade.sh file and then run OIM Middle Tier upgrade as described in "Upgrading Oracle Identity Manager Middle Tier Using Property File".
This issue occurs if you upgrade an Oracle Access Management 11.1.2.0.0 environment to version 11.1.2.2.0. The ms_oauth/oauth2/** policy that is required for OAuth Services is missing. To correct this issue, complete the following steps.
Follow the steps in the "Configuring a WebGate to Support Mobile and Social" section of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Add the encrypted password from Mobile Services to the OAuthServiceProvider configuration:
Sign in to the Oracle Access Management console.
The Launch Pad opens.
In the Mobile and Social section, click Mobile Services.
The "Welcome to Oracle Access Management Mobile and Social - Mobile Services" page opens.
In the Service Providers section, select OAMAuthentication and click Edit.
The OAMAuthentication "Service Provider Configuration" page opens.
In the WebGate Agent section, locate the Encrypted Password field, click Show in clear text, and copy the password.
Click the Launch Pad tab and click OAuth Service in the Mobile and Social section.
The OAuth Identity Domains page opens.
Click the identity domain in use. If multiple identity domains are in use, repeat steps f through i for each one.
The Identity Domain Configuration page opens.
Click the OAuth Service Providers tab, then click OAuthServiceProvider.
The Service Provider configuration page opens.
In the Attributes section, locate the oam.ENCRYPTED_PASSWORD attribute name and paste the encrypted password into the Value field.
Click Save.
This issue occurs when you upgrade Oracle Access Management Access Manager 11g Release 2 (11.1.2) to 11.1.2.2.0. The upgrade logs have the messages "the Prerequisite check "CheckApplicable" failed" and "Required component(s) missing". You can ignore these messages.
This issue occurs when you upgrade Oracle Identity Manager to 11.1.2.2.0. After the successful upgrade, when you start the Oracle Identity Manager Server for the first time, the following error messages are displayed in the OIM server log:
<Nov 15, 2013 6:27:17 AM PST> <Emergency> <oracle.dfw.incident> <BEA-000000> <incident 5 created with problem key "DFW-99998 [java.lang.NoClassDefFoundError][oracle.iam.request.repository.RequestDatasetU pdateListener.metadataObjectChanged][oracle.iam.console.identity.sysadmin.ear] "> <Nov 15, 2013 6:27:17 AM PST> <Emergency> <oracle.dfw.incident> <BEA-000000> <incident 3 created with problem key "DFW-99998 [java.lang.NoClassDefFoundError][oracle.iam.request.repository.RequestDatasetU pdateListener.metadataObjectChanged][oracle.iam.console.identity.self-service. ear]"> <Nov 15, 2013 6:27:17 AM PST> <Emergency> <oracle.dfw.incident> <BEA-000000> <incident 4 created with problem key "DFW-99998 [java.io.FileNotFoundException][oracle.iam.platform.utils.SpringBeanFactory.cr eateBeanFactory][oracle.iam.console.identity.self-service.ear]"> <Nov 15, 2013 6:27:17 AM PST> <Emergency> <oracle.dfw.incident> <BEA-000000> <incident 2 created with problem key "DFW-99998 [java.io.FileNotFoundException][oracle.iam.platform.utils.SpringBeanFactory.cr eateBeanFactory][oracle.iam.console.identity.sysadmin.ear]">
This is a known issue. The workaround for this issue is to restart the Oracle Identity Manager Server.
This issue occurs when you upgrade Oracle Access Management Access Manager 11g Release 2 (11.1.2) to 11.1.2.2.0. After upgrading Access Manager 11.1.2 to 11.1.2.2.0, the obLockedOn attribute will be missing from the Oracle Internet Directory (OID). You must add this attribute back to the Oracle Internet Directory.
The workaround for this issue is as follows:
Manually add the obLockedOn attribute to the schema.
Import the LDIF to OID by running the ldapmodify command.
Edit the oam_user_write_acl_users_oblockedon_template.ldif to give oamSoftwareUser permission to modify obLockedOn.
Import the modified oam_user_write_acl_users_oblockedon_template.ldif.
This issue occurs when you upgrade Oracle Identity Manager 11g Release 1 (11.1.1.7.0), or 11g release 1 (11.1.1.5.0), or 9.1.x.x to 11.1.2.2.0. The following exception is displayed when you upgrade Oracle Identity Manager middle tier:
Error Code: 900 Call: EXECUTE PROCEDURE OIM_RECOMPILE_DB_OBJECTS() Query: DataModifyQuery() Dec 16, 2013 10:15:39 PM com.thortech.util.logging.Logger info INFO: Result Size = 1 PACKAGE STATUS = VALID Dec 16, 2013 10:15:39 PM com.thortech.util.logging.Logger info INFO: Recompiling packages - RDBMS [EL Warning]: 2013-12-16 22:15:39.957--ClientSession(476657190)--Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException Internal Exception: java.sql.SQLSyntaxErrorException: ORA-00900: invalid SQL statement
This is a harmless exception. You can ignore this exception.
This issue occurs when you upgrade Oracle Identity Manager 11g Release 2 (11.1.2) with Active Directory 11.1.1.5.0 connector to Oracle Identity Manager 11g Release 2 (11.1.2.2.0). After you upgrade Oracle Identity Manager 11.1.2 to 11.1.2.2.0, Active Directory user management 11.1.1.5.0 reconciliation profile gets corrupted.
The workaround for this issue is as follows:
You must regenerate the reconciliation profile by completing the following steps:
Log in to the Oracle Identity Manager 11.1.2.2.0 Design Console by running the following command from the location ORACLE_HOME/designconsole/:
On UNIX: ./xlclient.sh
On Windows: xlclient.cmd
Expand Resource Management.
Click Resource Objects.
Search for the name Xellerate Organization.
In the Resource Object details page, go to the Object Reconciliation tab.
Click Create Reconciliation Profile. A message will pop up when the profile is created successfully.
This issue occurs when you upgrade Oracle Identity Manager 9.1.x.x to 11.1.2.2.0. After upgrading to 11.1.2.2.0, when you start the OIM Server, the following error is displayed:
<Oct 3, 2013 2:26:09 AM PDT> <Error> <oracle.iam.platform.utils.SpringBeanFactory> <BEA-000000> <Instantiating Spring Bean Factory Failed.IOException parsing XML document from class path resource [META-INF/iam-spring-config.xml]; nested exception is java.io.FileNotFoundException: class path resource [META-INF/iam-spring-config.xml] cannot be opened because it does not exist>
This error message can be ignored.
This issue occurs when you upgrade Oracle Adaptive Access Manager 11g Release 2 (11.1.2.1.0) to 11g Release 2 (11.1.2.2.0). After upgrading to 11.1.2.2.0, when you log in to the OAAM Admin Server or OAAM Offline Server for the first time, the following warning message is displayed:
[oracle.mds] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ruleAdmin1] [ecid: d19903e12f34a6b2:72dcd919:141cc6b890e:-8000-0000000000000620,0] [APP: oaam_admin#11.1.2.0.0] Error occurred when raising audit event "<none>" for component "ADF-MDS".[[
This is a harmless warning message. You can ignore this warning.
This issue occurs when you upgrade Oracle Adaptive Access Manager 11g Release 2 (11.1.2) to 11g Release 2 (11.1.2.2.0). After you upgrade OAAM Admin Server and OAAM Offline Server to 11.1.2.2.0, the following error is seen in the upgrade log file:
"<Oct 10, 2013 2:47:19 PM PDT> <Error> <oracle.adfinternal.view.page.editor.utils.ReflectionUtility> <WCS-16178> <Error instantiating class - oracle.adfdtinternal.view.faces.portlet.PortletDefinitionDTFactory> "
This is a harmless error message. You can ignore this error.
This issue occurs when you upgrade Oracle Adaptive Access Manager 11g Release 1 (11.1.1.5.0) to 11g Release 2 (11.1.2.2.0). After the upgrade process, when you start the OAAM admin and managed servers, the following exception is displayed as a notification:
[2013-10-24T13:20:01.698-07:00] [oaam_admin_server1] [NOTIFICATION] [] [oracle.adfdt.model.mds.MDSApplicationService] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: d19903e12f34a6b2:-55051c63:141ebc57e5a:-8000-000000000000019f,0] [APP: oaam_admin#11.1.2.0.0] [[ oracle.mds.exception.NoTipCustomizationLayerException: MDS-00091: Unable to customize /oracle/oaam/view/DataBindings.cpx, empty or null value for tip customization layer user at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:4150) at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:2110) at oracle.mds.core.MDSSession.getMutableMO(MDSSession.java:1985) at oracle.adfdt.model.mds.MDSApplicationService.findApplication(MDSApplicationSer vice.java:58) at oracle.adfdt.model.mds.MDSModelDesignTimeContext.initServices(MDSModelDesignTi meContext.java:232) at oracle.adfdt.model.mds.MDSModelDesignTimeContext.<init>(MDSModelDesignTimeCont ext.java:82) at oracle.adfdt.mds.MDSDesignTimeContext.<init>(MDSDesignTimeContext.java:81) at oracle.adfdt.mds.MDSDesignTimeContext.<init>(MDSDesignTimeContext.java:69) at oracle.adfinternal.view.page.editor.Page.getDesignTimeBindingContainer(Page.ja va:618) at
This is a harmless error message. You can ignore this error.
After you upgrade Oracle Adaptive Access Manager 11g Release 1 (11.1.1.5.0) to 11g Release 2 (11.1.2.2.0), the following Apps are in 'Prepared' state:
oaam_admin
oaam_offline
oaam_server
This is a known issue. The workaround for this issue is to login to the WebLogic console and start these three apps manually.
After you upgrade Oracle Adaptive Access Manager 11g Release 1 (11.1.1.7.0) to 11g Release 2 (11.1.2.2.0), when you login to EM, and click Identity & Access and then click OAAM, the following error message is displayed:
"Oracle Adaptive Access Manager Cluster" is down.
To resolve this issue, perform the following steps:
Open the file $DOMAIN_HOME/config/fmwconfig/mbeans/oaam-cluster-mbeans.xml in a text editor.
Change the location attribute value in the <runtime-mbeans> xml tag from oaam/oaam_mbeans.jar to ${oracle.oaam.home}/mbeans/lib/oaam_mbeans.jar.
This issue occurs after you upgrade Oracle Identity Manager 11g Release 1 (11.1.1.5.0) to 11g Release 2 (11.1.2.2.0). Grant/revoke requests raised for roles with OIM Roles role category cannot be viewed after upgrade. After upgrade, when you create a request in 11.1.1.5.0, the following error message is displayed in the UI:
IAM-7130211 : No Detail found for specified catalog item.
These requests are not valid in 11g Release 2 (11.1.2.2.0), as these roles are not to be added to the Catalog.
This issue occurs when you upgrade Oracle Identity Manager 11g Release 1 (11.1.1.5.0) to 11g Release 2 (11.1.2.2.0). Following error is displayed in the middle tier upgrade logs during REQUEST_TYPE upgrade:
oracle.mds.exception.MDSRuntimeException: MDS-00003: error connecting to the database
Exception occurred while getting connection:
oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from
Datasource: java.sql.SQLException: Listener refused the connection with the following error:
ORA-12519, TNS:no appropriate service handler found
at
oracle.mds.internal.persistence.db.fcf.ConnectionManagerCallback.<init>(Connec
tionManagerCallback.java:77)
at
oracle.mds.persistence.stores.db.DBMetadataStore.checkRepositoryCompatibility(
DBMetadataStore.java:1004)
at
oracle.mds.persistence.stores.db.DBMetadataStore.checkCompatibility(DBMetadata
Store.java:1269)
at
oracle.mds.persistence.stores.db.DBMetadataStore.<init>(DBMetadataStore.java:4
47)
at
oracle.mds.persistence.stores.db.DBMetadataStore.<init>(DBMetadataStore.java:3
99)
at oracle.iam.oimupgrade.standalone.utils.MDSUtil.<init>(MDSUtil.java:82)
at
oracle.iam.oimupgrade.standalone.feature.request.UnsupportedRequestTypeUpgrade
.updateRequestMetaData(UnsupportedRequestTypeUpgrade.java:120)
at
oracle.iam.oimupgrade.standalone.feature.request.UnsupportedRequestTypeUpgrade
.doUpgrade(UnsupportedRequestTypeUpgrade.java:75)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Even though the above error message is displayed, REQUEST_TYPE upgrade is reported as successful. However, for new modify profile requests, track requests page will show Request Type as blank.
To resolve this issue, perform the following steps:
Set upgraded flag to N for the REQUEST_TYPE upgrade feature by running the following query:
Note:
The query must be run as OIM Schema user.update Upgrade_feature_state set FEATURE_UPGRADE_STATE='LOADED',IS_FEATURE_UPGRADED='N' where feature_id like 'PS1PS2UPG.REQUEST_TYPE'; commit;
Rerun the middle tier upgrade. For more information, see the Upgrading Oracle Identity Manager Middle Tier section of the Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management.
This issue occurs after you upgrade Oracle Adaptive Access Manager 11g Release 1 (11.1.1.5.0) to 11g Release 2 (11.1.2.2.0). After the upgrade process, when you start the OAAM admin and managed servers, the following exception is displayed as a warning in the AdminServer-Diagnostic.log file:
WARNING "JAVAX.MANAGEMENT.INSTANCENOTFOUNDEXCEPTION"
This is a harmless error message. You can ignore this error.
This issue occurs when you upgrade Oracle Adaptive Access Manager 11g Release 2 (11.1.2.1.0) Bundle Patch 01 (BP01) to 11.1.2.2.0, and if you had not applied Bundle Patch 01 correctly. If you had not applied BP01 correctly when you upgraded OAAM 11.1.2.1.0 to 11.1.2.1.0 BP01, and if you still upgrade to 11.1.2.2.0, you will continue to see the product version as 11.1.2.1.0 on the OAAM Administration Server.
The workaround for this issue is as follows:
Check if the servers have directory named stage at the location MW_HOME/user_projects/domains/<domain_name>/<server_name>/stage and if oaam_admin.ear is present in the stage directory.
If oaam_admin.ear file is present in the stage directory, you must undeploy the oaam_admin.ear application, and deploy it again using the WebLogic Administration console. When you install the oaam_admin.ear application, make sure you select I will make the deployment accessible from the following location on the Source Availability screen, and point to the location ORACLE_HOME/oaam/oaam_admin/ear/oaam_admin.ear directory.
This issue occurs when you upgrade Oracle Adaptive Access Manager 11g Release 2 (11.1.2.1.0) Bundle Patch 01 (BP01) to 11.1.2.2.0. When upgrading OAAM to 11.1.2.2.0, OAAM_Admin redeploy does not work.
The workaround for this issue is to undeploy the oaam_admin.ear application, and deploy it again to the target oaam_admin_server1 from the location ORACLE_HOME/oaam/oaam_admin/ear/oaam_admin.ear. You can deploy the application using WebLogic Administration console or WLST command.
After you upgrade Oracle Identity Manager to 11.1.2.2.0, few OIM Database objects may temporarily be in INVALID state due to alterations in underlying dependencies. Such objects get auto compiled on first time invocation in Oracle Database. However, you can optionally recompile the INVALID objects. To identify and recompile the INVALID schema objects, do the following:
Identify INVALID schema objects by running the following SQL query as SYS or DBA schema owner:
SELECT owner,object_type,object_name, status FROM dba_objects WHERE status='INVALID' AND owner in ('<Schema_Name>') ORDER BY owner, object_type, object_name;
Recompile the INVALID objects by executing the following block for each of the affected schemas as SYS or DBA schema owner:
BEGIN
UTL_RECOMP.recomp_serial('<Schema_Name>');
END;
During the Oracle Entitlements Server 11.1.2.2.0 upgrade process, Opatch (17403853) does not get applied, and when you execute configureSecurityStore.py, the following error message is displayed:
Caused by: javax.persistence.RollbackException: Exception [EclipseLink-4002]
(Eclipse Persistence Services - 2.3.1.v2011 1018-r10243):
org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.BatchUpdateException: ORA-00001: unique
constraint (RC5WIN_OPSS.IDX_JPS_RDN_PDN) violated .
Error Code: 1
Query: InsertObjectQuery(EntryId = 12238:Attribute RowId = 52658 dn =
cn=CredentialStore,cn=IAM,cn=JPSContext,cn=jpsroot)
at
org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImpl.commitI
nternal(EntityTransactionImpl.java:102)
at
org.eclipse.persistence.internal.jpa.transaction.EntityTransactionImpl.commit(
EntityTransactionImpl.java:63)
at
oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager$8.run(JpsDBDat
aManager.java:1487)
at
oracle.security.jps.internal.policystore.rdbms.JpsDBDataManager.internalCommit
Txn(JpsDBDataManager.java:1492)
The workaround for this issue is to perform all upgrade steps in the correct sequence. To fix the above issue, perform the upgrade steps in the following sequence:
Run Opatch to apply the patch 17403853.
Re-run configureSecurityStore.py.
This issue occurs when you upgrade Oracle Identity Manager 11g Release 2 (11.1.2.1.0) high availability environments to Oracle Identity Manager 11g Release 2 (11.1.2.2.0).
When you start the Oracle Identity Manager Server for the first time after upgrading the Oracle Identity Manager middle tier, the following error is displayed:
<AuthPolicyMergeListener : loadPolicies() : Problem in seeding authorization policies. Please verify if you have run Middle Tier Upgrade before starting OIM Server. Please restart the application after running Middle Tier Upgrade. If the problem still occurs, refer to the documentation to manually update the authorization policies access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:OracleIdentityManager Admin Resource:APPLICATION_POLICY Actions:manage)> java.security.AccessControlException: access denied (oracle.security.jps.service.policystore.PolicyStoreAccessPermission Context:APPLICATION Context Name:OracleIdentityManager Admin Resource:APPLICATION_POLICY Actions:manage)
The workaround for this issue is to restart the Oracle Identity Manager Server.
This issue occurs when you upgrade Oracle Identity Manager 11g Release 2 (11.1.2.1.0) high availability environments to Oracle Identity Manager 11g Release 2 (11.1.2.2.0).
When you start the Oracle Identity Manager Server after upgrading Oracle Identity Manager 11.1.2.1.0 high availability environments to 11.1.2.2.0, the following exception is thrown:
<Dec 15, 2013 10:19:11 PM PST> <Error> <oracle.mds> <BEA-000000> <An Exception occured during the pre-deploy label creation: preDeployLabel_OIMMetadata#11.1.2.0.0 oracle.mds.versioning.LabelExistsException: MDS-01906: A label with same name. preDeployLabel_OIMMetadata#11.1.2.0.0 already exists.
The workaround for this issue is to restart the Oracle Identity Manager Server.
This issue occurs when you create IDS or ESSO profile after upgrading Oracle Access Manager 11g Release 1 (11.1.1.5.0) to Access Manager 11g Release 2 (11.1.2.2.0).
The workaround for this issue is as follows:
Create the directory $DOMAIN_HOME/config/fmwconfig/ovd/ids.
Copy the files from $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/domain_config/ovd/ids/* to $DOMAIN_HOME/config/fmwconfig/ovd/ids/.
Copy the file $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/domain_config/mbeans/ovd-ids-mbeans.xml to $DOMAIN_HOME/config/fmwconfig/mbeans.
Restart the WebLogic Administration Server and the Access Manager Managed Server(s).
This issue occurs when you upgrade Oracle Identity Manager 11g Release 2 (11.1.2) to 11g Release 2 (11.1.2.2.0). After upgrading Oracle Identity Manager 11.1.2 to 11.1.2.2.0, when you access My Entitlements page, the following error is displayed:
javax.el.PropertyNotFoundException: The class 'oracle.iam.ui.authenticated.myaccess.bean.MyAccessEntitlementsBean' does not have the property 'selectedUserDeleted'.
The workaround for this issue is as follows:
Export the file /oracle/iam/ui/authenticated/myaccess/pages/mdssys/cust/site/site/myEntitlements.jsff.xml from MDS ('oim-ui' partition). For information about exporting file to MDS, see "Exporting Metadata Files to MDS" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Open the myEntitlements.jsff.xml file and replace all the occurrences of "pageFlowScope.MyAccessEntitlementsBean.selectedUserDeleted" with "backingBeanScope.MyAccessEntitlementsReqBean.selectedUserDeleted".
Import the myEntitlements.jsff.xml file back to MDS. For information about importing file from MDS, see "Importing Metadata Files from MDS" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
This issue occurs when you upgrade Oracle Identity Manager 11g Release 2 (11.1.2.1.0) high availability environments to 11.1.2.2.0. After you create an application instance, when you click on the Edit link, the following exception is thrown:
[2013-12-19T05:28:48.624-08:00] [oim_server2] [ERROR] []
[oracle.adfinternal.view.faces.config.rich.RegistrationConfigurator] [tid:
[ACTIVE].ExecuteThread: '1'
for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm]
[ecid: 004vUC_6tzS1VcP5Ifp2if0006XN000CMz,0:1] [APP:
oracle.iam.console.identity.sysadmin.ear#V2.0] [URI: /sysadmin/faces/home]
ADF_FACES-60096:Server Exception during PPR, #3[[
oracle.adf.controller.security.AuthorizationException: ADFC-0619:
Authorization check failed:
'/WEB-INF/oracle/iam/ui/platform/common/templates/account-form-
template.xml#account-form-template' 'VIEW'.
at
oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(Au
thorizationEnforcer.java:182)
The workaround for this issue is to run the Middle Tier upgrade utility on the node that hosts the Administration Server.
This issue occurs after you upgrade Oracle Identity Manager 11g Release 2 (11.1.2) or 11g Release 2 (11.1.2.1.0) to 11.1.2.2.0.
After you upgrade Oracle Identity Manager to 11.1.2.2.0, when you click Regenerate View for the existing forms that contain entitlement attributes, the Generate Entitlement Forms option is not displayed. Use one of the following workarounds when this issue occurs:
Create new form for the affected application instance. The new form should work as expected, that is Generate Entitlement Forms option will be available for new forms.
Manually fix the existing form. The procedure for fixing the application instances whose entitlement attributes use Lookup code in the process form is different from the procedure for fixing the application instance whose entitlement attributes use Lookup Query in the process form. The entitlement attributes which use Lookup Code in the process form are represented as Lookup fields in the Form Designer. The entitlement attributes which use Lookup Query in the process form are represented as Text fields in the Form Designer. Depending upon what the entitlement attributes are using, complete one of the following procedures to manually fix the forms:
If the entitlement attribute is represented as Lookup field in the Form Designer, complete the following steps:
Go to Form Designer.
Select the form that you want to fix.
Open the entitlement attribute, and make sure you select Entitlement checkbox under Advanced section.
Save the changes.
Repeat the above steps for all the entitlement attributes.
If the entitlement attribute is represented as Text field in the Form Designer, complete the following steps:
You must manually fix the Form EO xml files. To do this, export the oim-ui MDS partition as a zip file by following the steps described in "Exporting Metadata Files to MDS" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Unzip the zip file. The Form EO xml files that need to be modified are located at /persdef/sessiondef/oracle/iam/ui/runtime/form/model/<FORM_NAME>/entity/mdssys/cust/site/site directory, where <FORM_NAME> is the name of the Form. The directory will contain one EO xml for parent form and N EO xmls for N child forms, where N is the number of child forms.
Open the child form EO xml in a text editor. Find the definition of the entitlement attribute and add the following property definition within the <Properties> section of the attribute definition:
<Property Name="oimEntitlement" Value="Y"/>
Repeat this step to fix all the child form EO xmls that have entitlement attributes.
Recreate the zip file and import it back using Enterprise Manager. For more information about importing metadata files, see "Importing Metadata Files from MDS" Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
This issue occurs when you upgrade Oracle Identity Manager binaries to 11g Release 2 (11.1.2.2.0). The supported OPatch version for Oracle Identity Manager upgrade is 11.1.0.9.9. Different OPatch version might cause patch application failure. The following error will be displayed in the install logs if incorrect OPatch version is used:
OPatch failed with error code 73 ] stderr=[ApplySession failed: ApplySession failed to prepare the system. To run in silent mode, OPatch requires a response file for Oracle Configuration Manager (OCM). Please run "/oracle/middleware/iam/OPatch/ocm/bin/emocmrsp" to generate an OCM response file. The generated response file can be reused on different platforms and in multiple OPatch silent installs."
The workaround for this issue is to ensure that the OPatch version in OIM_HOME and MW_HOME/oracle_common is 11.1.0.9.9, before you upgrade Oracle Identity Manager binaries to 11.1.2.2.0.
After binary upgrade, check the installer logs at the following location:
On UNIX: ORACLE_INVENTORY_LOCATION/logs
To find the location of the Oracle Inventory directory on UNIX, check the file ORACLE_HOME/oraInst.loc.
On Windows: ORACLE_INVENTORY_LOCATION\logs
The default location of the Oracle Inventory Directory on Windows is C:\Program Files\Oracle\Inventory\logs.
The following install log files are written to the log directory:
installDATE-TIME_STAMP.log
installDATE-TIME_STAMP.out
installActionsDATE-TIME_STAMP.log
installProfileDATE-TIME_STAMP.log
oraInstallDATE-TIME_STAMP.err
oraInstallDATE-TIME_STAMP.log
If any OPatch fails, apply the failed patches manually.
This issue occurs when you upgrade Oracle Identity Manager 11g Release 2 (11.1.2.1.0) environments which was upgraded from Oracle Identity Manager 11g Release 2 (11.1.2.0.0), to 11.1.2.2.0. When you generate the pre-upgrade report, it detects your existing OIM version as 11.1.2.0.0 instead of 11.1.2.1.0. If you check the schema version using the query select * from schema_version_registry, it shows 11.1.2.1.0. This occurs if XSD table values are not updated after schema upgrade.
The workaround for this issue is to manually update the version number in the XSD table, and then run the pre-upgrade report again. To do this, update XL_PATCH_BASE 11.1.2.0.0 to XL_PATCH_BASE 11.1.2.1.0 in the XSD table using the following query:
update XSD set XSD_VALUE='11.1.2.1.0' where XSD_CODE='XL_PATCH_BASE'
This issue occurs when you upgrade Oracle Identity Manager 11g Release 2 (11.1.2.1.0) to 11g Release 2 (11.1.2.2.0).
After you upgrade Oracle Identity Manager to 11.1.2.2.0, when you open a user, the following exception is displayed:
javax.servlet.ServletException: OracleJSP error: oracle.mds.exception.MDSRuntimeException: MDS-00010: DuplicateRefException. In document /oracle/iam/ui/runtime/form/view/pages/userCreateForm.jsff there are multiple elements with the same ID upfl_user.
The workaround for this issue is to add DataControl=CatalogAMDataControl entry in the userDetailsPageDef.xml file. To do this, complete the following steps:
Export the metadata file userDetailsPageDef.xml to MDS. The following is the full path to the file to be exported:
/oracle/iam/ui/manageusers/pages/mdssys/cust/site/site/userDetailsPageDef.xml
For information about exporting metadata files to MDS, see "Exporting Metadata Files to MDS" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Open the exported file in a text editor.
Add the entry DataControl=CatalogAMDataControl, if it does not exists already.
Save the file.
Import the userDetailsPageDef.xml back into the MDS. For information about importing metadata file, see "Importing Metadata Files from MDS" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
This issue occurs if you are upgrading Oracle Access Manager 11g Release 2 (11.1.2.0.0) environments which was previously upgraded from 11g Release 1 (11.1.1.5.0), to Oracle Access Manager 11g Release 2 (11.1.2.2.0).
When you run the upgradeConfig() command to upgrade the Access Manager system configurations, the following exception is displayed:
oracle.security.am.upgrade.framework.psfe.PSFEFramework process SEVERE: Exception has occurred while processing featureID: OAMEntityStore. Stopping the process after calling rollback. oracle.security.am.upgrade.framework.psfe.PSFEException: Plugin oracle.security.am.upgrade.framework.psfe.plugin.PolicyEntityPlugin reported validation failure for featureID: OAMEntityStore
The workaround for this issue is as follows:
Stop the Administration Server and the Access Manager Managed Server(s) if they are running.
Back up the upgrade.properties file located at $DOMAIN_HOME/config/fmwconfig. This is the same folder where oam-config.xml is located.
Run the upgradeConfig() command.
When you upgrade Oracle SOA Suite to 11g Release 1 (11.1.1.7.0) as part of the Oracle Identity Manager upgrade process, the following exception is displayed:
Exception [TOPLINK-106] (Oracle TopLink - 11g Release 1 (11.1.1.6.0) (Build 111018)): oracle.toplink.exceptions.DescriptorException Exception Description: The method [setSuccessStatusType] on the object is throwing an exception. Argument: [null] Internal Exception: java.lang.reflect.InvocationTargetException Target Invocation Exception: java.lang.IllegalArgumentException: The successStatusType must be of success type and not equal to null Mapping: oracle.toplink.mappings.TransformationMapping[successStatusType] Descriptor: RelationalDescriptor(oracle.sdpinternal.messaging.AddressImpl --> [DatabaseTable(ADDRESS)])
The workaround for this issue is to apply patch 17565911.
This section describes issues related to the following scenarios:
Migrating Oracle Access Manager 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2.2.0)
Migrating Oracle Adaptive Access Manager 10g to Oracle Adaptive Access Manager 11g Release 2 (11.1.2.2.0)
Migrating Oracle Single Sign-On 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2.2.0)
Migrating Sun OpenSSO Enterprise 8.0 to Oracle Access Management Access Manager 11g Release 2 (11.1.2.2.0)
Migrating Sun Java System Access Manager 7.1 to Oracle Access Management Access Manager 11g Release 2 (11.1.2.2.0)
Migrating Oracle Identity Analytics 11g Release 1 (11.1.1.5.0) to Oracle Identity Manager 11g Release 2 (11.1.2.2.0).
Coexistence of Oracle Access Manager 10g with Oracle Access Management Access Manager 11g Release 2 (11.1.2.2.0)
Coexistence of Sun OpenSSO Enterprise 8.0 with Oracle Access Management Access Manager 11g Release 2 (11.1.2.2.0)
Coexistence of Sun Java System Access Manager 7.1 with Oracle Access Management Access Manager 11g Release 2 (11.1.2.2.0)
This section describes general issues and workarounds related to the migration scenarios. It includes the following topics:
This issue occurs when you upgrade Oracle Single Sign-On 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2.2.0). If errors occurs during the execution of the Upgrade Assistant which require you to re-run the process, there is a possibility that required osso.conf files will not be generated, in the location specified in the Upgrade Assistant Summary screen, at the end of the process.
If this occurs, the osso.conf files needed to complete the upgrade, can also be found in the following directory:
<MW_HOME>/user_projects/domains/<Domain_Home>/output/upgrade
Known issue.
The server logs and assessment report shows only English messages when you migrate the following components to Oracle Access Management Access Manager 11g Release 2 (11.1.2.2.0):
Oracle Access Manager 10g
Sun OpenSSO Enterprise 8.0
Sun Java System Access Manager 7.1
This issue occurs when you register Policy Agent 2.2 in Oracle Access Management 11.1.2.2.0 Server using Remote Registration tool (RREG), during migration. This is because of the unavailability of the agent template.
The workaround for this issue is as follows:
Copy the oam-admin.ear from the following directory to a temporary location:
On Unix: MW_HOME/oam/server/apps/
On Windows: MW_HOME\oam\server\apps\
Unpack the oam-admin.ear file in any desired location. The oam-admin.ear contains ngam-ui.war file.
Unpack the ngam-ui.war file in any desired location. The ngam-ui.war contains oam-migrate.jar file.
Unpack the oam-migrate.jar file in any desired location.
Go to the following directory from the location where you have unpacked the oam-migrate.jar:
On UNIX: oracle/security/am/migrate/OpenSSO/resources/templates/
On Windows: oracle\security\am\migrate\OpenSSO\resources\templates\
Complete the following steps depending on the type of 2.2 Policy Agent:
For 2.2 J2EE Agent:
On UNIX: Copy the AMAgent.template from the directory ../templates/j2eeagents to the location MW_HOME/RReg_Home/templates/opensso/j2eeagents
On Windows: Copy the AMAgent.template from the directory ..\templates\j2eeagents to the location MW_HOME\RReg_Home\templates\opensso\j2eeagents
For 2.2 Web Agent:
On UNIX: Copy the AMAgent.template from the directory ../templates/webagents to the location MW_HOME/RReg_Home/templates/opensso/webagents
On Windows: Copy the AMAgent.template from the directory ..\templates\webagents to the location MW_HOME\RReg_Home\templates\opensso\webagents
This issue occurs when you migrate Oracle Access Manager 10g to Access Manager 11.1.2.2.0. When you perform incremental migration in evaluate_only mode, the assessment report contains the following:
Authentication schemes that were not selected for migration
All host identifiers instead of the selected ones
This is a known issue. In this case, extra artifacts of type authentication scheme and host identifiers get migrated; However, this will not cause any adverse impact on the usage of migrated policies.
This issue occurs when you migrate Oracle Access Manager 10g to Access Manager 11.1.2.2.0. When you perform delta migration, all host identifiers and authentication schemes appear in the assessment report, and the delta migration tries to create all host identifiers and authentication schemes again.
This is a known issue. In this case, extra artifacts of type authentication scheme and host identifiers get migrated; However, this will not cause any adverse impact on the usage of migrated policies.
Oracle Fusion Middleware Migration Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) discusses how to migrate various Single Sign-On and Access Management environments to Oracle Access Management 11g Release 2 (11.1.2.2.0). You should use this guide for information about upgrade, migration, and coexistence procedures.
If necessary, you can read the following support note for any late-breaking information and changes: